Title

AIX must turn on SSH daemon reverse name checking. (Cat II impact)

Discussion

If reverse name checking is off, SSH may allow a remote attacker to circumvent security policies and attempt to or actually login from IP addresses that are not permitted to access resources.

Check Content

Check the SSH daemon configuration for the "VerifyReverseMapping" setting using command: # grep -i VerifyReverseMapping /etc/ssh/sshd_config | grep -v '^#' VerifyReverseMapping yes If the setting is not present or the setting is "no", this is a finding.

Fix Text

Edit the "/etc/sshd/sshd_config" file and add the following line: VerifyReverseMapping yes Restart the SSH daemon: # stopsrc -s sshd # startsrc -s sshd

Additional Identifiers

Rule ID: SV-215298r508663_rule

Vulnerability ID: V-215298

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.